Wednesday, May 8, 2024

TryHackMe: RootMe Walkthrough

RootMe is an introductory-level box available on the TryHackMe platform, designed to assess your skills in directory busting and exploiting unrestricted file upload vulnerabilities. Before delving into this walkthrough, I highly recommend attempting to solve the challenges presented in the room independently. This approach not only enhances your learning experience but also reinforces your understanding of the concepts involved.

Figure-1

To access the RootMe room and embark on this learning journey, kindly follow this link: https://tryhackme.com/room/rrootme

Let's dive in!!


Task-1: Deploy the machine.

Figure-2



Task-2: Reconnaissance.

In this instance the box lives at 10.10.138.73, so let's get things started with a quick Nmap scan (service/version detection plus the default scripts):
nmap -sV -sC 10.10.138.73

First, let's get information about the target.

Figure-3


Answer the questions below

Question:1 Scan the machine, how many ports are open?
Answer: 2

Question:2 What version of Apache is running?
Answer: 2.4.29

Question:3 What service is running on port 22?
Answer: ssh

Question:4 Find directories on the web server using the GoBuster tool.
Answer: No answer needed


Figure-4

Question:5 What is the hidden directory?
Answer: /panel/

Figure-5

Looks like we have an upload form here! Any file uploaded here ends up in /uploads, so we'll have an easy way to execute anything we upload to the server.


Task-3: Getting a shell.

Find a form to upload and get a reverse shell, and find the flag.

Now try to upload a PHP reverse shell and execute it from the /uploads directory.

For this, I will be using the infamous php-reverse-shell.php from pentestmonkey. You can grab it here: php-reverse-shell

Just copy and paste this code into a text file, and change the information below:

Figure-6

Once this is changed, go ahead and save it as a .php file, and it's ready for upload! Let's upload it to the website: navigate to the form and select the file as you normally would:

As you click upload, it looks like the server is not accepting .php files. What to do in that case? We know we have a PHP file, and PHP code can be served under several other extensions; a quick look on Google shows that the alternatives are: .php3, .php4, .php5, .php7, .phtml, .pht.

Figure-7

This is trial and error now: we need to see which one the server will accept, so we simply edit the extension. I changed the extension to .php5 and it was accepted by the server.
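The reason .php5 slips through is that the form's filter behaves like a blocklist: it rejects the one string .php and lets every other extension the PHP handler understands straight past. The Python below is an added illustration, not code from the room or from TryHackMe; it contrasts that assumed blocklist rule with an allowlist check on a few constructed filenames (the exact filter on the box is an assumption, since the room's upload source is not shown).

```python
import os

# Assumed behaviour of the weak filter on the box: reject only ".php".
BLOCKED = {".php"}

# Extensions the walkthrough lists as alternatives the PHP handler accepts
# (constructed set for this demonstration).
PHP_LIKE = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".pht"}

# Allowlist for an image upload form: only these may ever be stored.
ALLOWED_IMAGES = {".jpg", ".jpeg", ".png", ".gif"}


def ext_of(filename: str) -> str:
    """Final extension of the bare filename, lower-cased ('a/b.PHP5' -> '.php5')."""
    return os.path.splitext(os.path.basename(filename))[1].lower()


def weak_filter_accepts(filename: str) -> bool:
    """Blocklist check: only '.php' is refused, so '.php5' and '.phtml' pass."""
    return ext_of(filename) not in BLOCKED


def allowlist_accepts(filename: str) -> bool:
    """Allowlist check: the final extension must be a known image type."""
    ext = ext_of(filename)
    return ext != "" and ext in ALLOWED_IMAGES


def compare(filenames):
    """Map each name to (weak_accepts, allowlist_accepts, php_handled) for review."""
    return {
        f: (weak_filter_accepts(f), allowlist_accepts(f), ext_of(f) in PHP_LIKE)
        for f in filenames
    }


if __name__ == "__main__":
    # Constructed sample names: the bypass variants from the walkthrough plus a benign image.
    samples = ["shell.php", "shell.php5", "shell.PHTML", "photo.jpg", "shell"]
    for name, (weak, strict, php) in compare(samples).items():
        print(f"{name:12} weak={weak!s:5} allowlist={strict!s:5} php-handled={php}")
```

Every name the weak filter lets through while php_handled is True is a file the server would execute; the allowlist rejects all of them.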

Figure-8

Now we need to go to ip_addr/uploads/ and also start our netcat listener in the terminal.

Figure-9

Success! We now have a shell on this machine.


Answer the questions below

Question:1 user.txt

Answer: THM{y0u_g0t_a_sh3ll}


Task-4: Privilege escalation.

Now that we have a shell, let's escalate our privileges to root.
Search for files with SUID permission: which file is weird? We need to run the command find / -user root -perm /4000. What does it mean? -user root restricts the search to files owned by root, and -perm /4000 matches files with the setuid bit set, i.e. binaries that run with the owner's (root's) privileges regardless of who launches them. We need to look carefully through the output to find which file can be exploited to gain root access.

Figure-11


Answer the questions below

Question-1: Search for files with SUID permission, which file is weird?
Answer-1: /usr/bin/python

Question-2: Find a form to escalate your privileges.
Answer-2: No answer needed

How to exploit it? Go to GTFOBins and look for Python GTFO. We need this one:

Figure-12

This is super simple now, we just need to copy this command into our user shell.
command: python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

Only the second part of the GTFOBins snippet, the python -c line shown above, needs to be run here. Type whoami to confirm that we are indeed root now.

Figure-13

Question-3: root.txt
Answer-3: THM{pr1v1l3g3_3sc4l4t10n}





Hope you enjoy my writeup.


